Re: [opensuse] OT slightly: Manually recognizing SPAM emails

From:
Sandy Drobic <opensuse@xxxxxxxxx>

Date:
Wed, 25 Aug 2010 00:04:45 +0200

Message-id:
<4C7441FD.60706@xxxxxxxxx>

On 24.08.2010 22:37, Duaine Hechler wrote:

Because I have a business and don't want to take the chance of deleting
something I may want to get, I have been using the IP address as well as
a few keywords to build my own spam control - so far blocking about 99%.

However, are there any tell-tale signs in the email headers to look for?

Any website that tells how to block spam using info from the headers?

Any such website would make the spam problem even worse. You should only block
spam directly on the first server that receives mails for a domain. If you
reject the mail later, you bounce the mail to the sender address.
Unfortunately, in case of spam the sender address is almost always falsified,
so you bounce the mail to an innocent third party. This kind of spam is
called backscatter.

In other words, your own server turns into a source of spam and will soon be
blacklisted.

So, if you do not control the mx of your domain, please do not reject the
mail. For the mx of the domain there are a lot of measures to cut spam down.

If you use Postfix (the default MTA on openSUSE systems) you can use
header_checks to reject mails that match certain expressions. Unfortunately,
spam is changing so fast that it is too much trouble to update the
header_checks every day. Usually a spam wave lasts for 4-12 hours, so by the time you
have analyzed the recent spam and updated the header_checks, the spam run is
already over and the spam doesn't get caught any more.

Even worse is the danger of false positives. You reject innocent mails that
match your quickly written rule. Since you don't read the mail you can't even
check if the mail was actually a spam or not.

That is the reason why it is much safer to add your own patterns to
SpamAssassin. That way you can safely add or subtract points from the score.
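To make the contrast concrete, here is an added example (not from the post above or from the openSUSE project) of the two approaches: a Postfix header_checks table that hard-rejects on a pattern, and the same pattern expressed as a scored SpamAssassin rule in local.cf that only nudges the total. The file paths, rule names and the pattern itself are assumptions chosen for illustration.

```conf
# ---- Postfix: /etc/postfix/main.cf (assumed path) ----
# Apply a PCRE table to every received header line.
header_checks = pcre:/etc/postfix/header_checks

# ---- Postfix: /etc/postfix/header_checks (assumed path) ----
# REJECT refuses the message at SMTP time on the receiving MX, so no
# bounce is generated (no backscatter). But a sloppy pattern rejects
# legitimate mail you will never see; there is no partial credit here.
/^Subject: .*(cheap pills|online pharmacy)/i   REJECT Unsolicited mail
# WARN only logs a match. Run a new rule as WARN first and read the
# mail log for a day before promoting it to REJECT.
/^X-Mailer: .*Bulk Mailer v2/i                 WARN suspicious mailer
# Run "postmap -q 'Subject: Cheap pills now' pcre:/etc/postfix/header_checks"
# to check what a given header line would trigger before going live.

# ---- SpamAssassin: /etc/mail/spamassassin/local.cf (assumed path) ----
# The same patterns as scored rules: a match adds points but is not
# decisive on its own. Other tests (RBLs, Bayes, URIBL) still have to
# push the message over required_score before it is tagged.
required_score 5.0

header   LOCAL_SUBJ_PHARMA   Subject =~ /(cheap pills|online pharmacy)/i
describe LOCAL_SUBJ_PHARMA   Subject mentions pharmacy spam phrases
score    LOCAL_SUBJ_PHARMA   1.5

header   LOCAL_BULK_MAILER   X-Mailer =~ /Bulk Mailer v2/i
describe LOCAL_BULK_MAILER   Known bulk mailer fingerprint
score    LOCAL_BULK_MAILER   1.0

# Negative scores protect mail you want: a false positive on the rules
# above is outweighed instead of being rejected outright.
header   LOCAL_OPENSUSE_LIST List-Id =~ /opensuse\.org/i
describe LOCAL_OPENSUSE_LIST Mail from the openSUSE mailing lists
score    LOCAL_OPENSUSE_LIST -2.0
```

Check the SpamAssassin side with `spamassassin --lint` after editing local.cf; a syntax error there silently disables your custom rules rather than rejecting mail.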